diff --git a/apis/v1alpha1/dcgmexpoter_types.go b/apis/v1alpha1/dcgmexpoter_types.go index 628490a48..bac47ae1d 100644 --- a/apis/v1alpha1/dcgmexpoter_types.go +++ b/apis/v1alpha1/dcgmexpoter_types.go @@ -58,6 +58,15 @@ type DcgmExporterSpec struct { // If specified, indicates the pod's scheduling constraints // +optional Affinity *v1.Affinity `json:"affinity,omitempty"` + // In deployment, daemonset, or statefulset mode, this controls + // the security context settings for the primary application + // container. + // + // In sidecar mode, this controls the security context for the + // injected sidecar container. + // + // +optional + SecurityContext *v1.SecurityContext `json:"securityContext,omitempty"` } // DcgmExporterStatus defines the observed state of DcgmExporter. diff --git a/apis/v1alpha1/zz_generated.deepcopy.go b/apis/v1alpha1/zz_generated.deepcopy.go index 4d7355472..0b0eb6332 100644 --- a/apis/v1alpha1/zz_generated.deepcopy.go +++ b/apis/v1alpha1/zz_generated.deepcopy.go @@ -575,6 +575,11 @@ func (in *DcgmExporterSpec) DeepCopyInto(out *DcgmExporterSpec) { *out = new(corev1.Affinity) (*in).DeepCopyInto(*out) } + if in.SecurityContext != nil { + in, out := &in.SecurityContext, &out.SecurityContext + *out = new(corev1.SecurityContext) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DcgmExporterSpec. diff --git a/config/crd/bases/cloudwatch.aws.amazon.com_dcgmexporters.yaml b/config/crd/bases/cloudwatch.aws.amazon.com_dcgmexporters.yaml index 30aa743bc..e90f9dde7 100644 --- a/config/crd/bases/cloudwatch.aws.amazon.com_dcgmexporters.yaml +++ b/config/crd/bases/cloudwatch.aws.amazon.com_dcgmexporters.yaml @@ -1214,6 +1214,178 @@ spec: More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ type: object type: object + securityContext: + description: |- + In deployment, daemonset, or statefulset mode, this controls + the security context settings for the primary application + container. + + + In sidecar mode, this controls the security context for the + injected sidecar container. + properties: + allowPrivilegeEscalation: + description: |- + AllowPrivilegeEscalation controls whether a process can gain more + privileges than its parent process. This bool directly controls if + the no_new_privs flag will be set on the container process. + AllowPrivilegeEscalation is true always when the container is: + 1) run as Privileged + 2) has CAP_SYS_ADMIN + Note that this field cannot be set when spec.os.name is windows. + type: boolean + capabilities: + description: |- + The capabilities to add/drop when running containers. + Defaults to the default set of capabilities granted by the container runtime. + Note that this field cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX capabilities type + type: string + type: array + type: object + privileged: + description: |- + Run container in privileged mode. + Processes in privileged containers are essentially equivalent to root on the host. + Defaults to false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + procMount: + description: |- + procMount denotes the type of proc mount to use for the containers. + The default is DefaultProcMount which uses the container runtime defaults for + readonly paths and masked paths. + This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: |- + Whether this container has a read-only root filesystem. + Default is false. + Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: |- + The GID to run the entrypoint of the container process. + Uses runtime default if unset. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: |- + Indicates that the container must run as a non-root user. + If true, the Kubelet will validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start the container if it does. + If unset or false, no such validation will be performed. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: |- + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: |- + The SELinux context to be applied to the container. + If unspecified, the container runtime will allocate a random SELinux context for each + container. May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that applies to + the container. + type: string + role: + description: Role is a SELinux role label that applies to + the container. + type: string + type: + description: Type is a SELinux type label that applies to + the container. + type: string + user: + description: User is a SELinux user label that applies to + the container. + type: string + type: object + seccompProfile: + description: |- + The seccomp options to use by this container. If seccomp options are + provided at both the pod & container level, the container options + override the pod options. + Note that this field cannot be set when spec.os.name is windows. + properties: + localhostProfile: + description: |- + localhostProfile indicates a profile defined in a file on the node should be used. + The profile must be preconfigured on the node to work. + Must be a descending path, relative to the kubelet's configured seccomp profile location. + Must be set if type is "Localhost". Must NOT be set for any other type. + type: string + type: + description: |- + type indicates which kind of seccomp profile will be applied. + Valid options are: + + + Localhost - a profile defined in a file on the node should be used. + RuntimeDefault - the container runtime default profile should be used. + Unconfined - no profile should be applied. + type: string + required: + - type + type: object + windowsOptions: + description: |- + The Windows specific settings applied to all containers. + If unspecified, the options from the PodSecurityContext will be used. + If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name is linux. + properties: + gmsaCredentialSpec: + description: |- + GMSACredentialSpec is where the GMSA admission webhook + (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the + GMSA credential spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name of the GMSA + credential spec to use. + type: string + hostProcess: + description: |- + HostProcess determines if a container should be run as a 'Host Process' container. + All of a Pod's containers must have the same effective HostProcess value + (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). + In addition, if HostProcess is true then HostNetwork must also be set to true. + type: boolean + runAsUserName: + description: |- + The UserName in Windows to run the entrypoint of the container process. + Defaults to the user specified in image metadata if unspecified. + May also be set in PodSecurityContext. If set in both SecurityContext and + PodSecurityContext, the value specified in SecurityContext takes precedence. + type: string + type: object + type: object serviceAccount: description: |- ServiceAccount indicates the name of an existing service account to use with this instance. When set, diff --git a/docs/api.md b/docs/api.md index 885b2413f..3e4202348 100644 --- a/docs/api.md +++ b/docs/api.md @@ -18391,6 +18391,19 @@ used to open additional ports that can't be inferred by the operator, like for c Resources to set on the DCGM Exporter pods.
false + + securityContext + object + + In deployment, daemonset, or statefulset mode, this controls +the security context settings for the primary application +container. + + +In sidecar mode, this controls the security context for the +injected sidecar container.
+ + false serviceAccount string @@ -20510,6 +20523,346 @@ inside a container.
+### DcgmExporter.spec.securityContext +[↩ Parent](#dcgmexporterspec) + + + +In deployment, daemonset, or statefulset mode, this controls +the security context settings for the primary application +container. + + +In sidecar mode, this controls the security context for the +injected sidecar container. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
allowPrivilegeEscalationboolean + AllowPrivilegeEscalation controls whether a process can gain more +privileges than its parent process. This bool directly controls if +the no_new_privs flag will be set on the container process. +AllowPrivilegeEscalation is true always when the container is: +1) run as Privileged +2) has CAP_SYS_ADMIN +Note that this field cannot be set when spec.os.name is windows.
+ 		false
capabilitiesobject + The capabilities to add/drop when running containers. +Defaults to the default set of capabilities granted by the container runtime. +Note that this field cannot be set when spec.os.name is windows.
+ 		false
privilegedboolean + Run container in privileged mode. +Processes in privileged containers are essentially equivalent to root on the host. +Defaults to false. +Note that this field cannot be set when spec.os.name is windows.
+ 		false
procMountstring + procMount denotes the type of proc mount to use for the containers. +The default is DefaultProcMount which uses the container runtime defaults for +readonly paths and masked paths. +This requires the ProcMountType feature flag to be enabled. +Note that this field cannot be set when spec.os.name is windows.
+ 		false
readOnlyRootFilesystemboolean + Whether this container has a read-only root filesystem. +Default is false. +Note that this field cannot be set when spec.os.name is windows.
+ 		false
runAsGroupinteger + The GID to run the entrypoint of the container process. +Uses runtime default if unset. +May also be set in PodSecurityContext. If set in both SecurityContext and +PodSecurityContext, the value specified in SecurityContext takes precedence. +Note that this field cannot be set when spec.os.name is windows.
+
+ Format: int64
+ 		false
runAsNonRootboolean + Indicates that the container must run as a non-root user. +If true, the Kubelet will validate the image at runtime to ensure that it +does not run as UID 0 (root) and fail to start the container if it does. +If unset or false, no such validation will be performed. +May also be set in PodSecurityContext. If set in both SecurityContext and +PodSecurityContext, the value specified in SecurityContext takes precedence.
+ 		false
runAsUserinteger + The UID to run the entrypoint of the container process. +Defaults to user specified in image metadata if unspecified. +May also be set in PodSecurityContext. If set in both SecurityContext and +PodSecurityContext, the value specified in SecurityContext takes precedence. +Note that this field cannot be set when spec.os.name is windows.
+
+ Format: int64
+ 		false
seLinuxOptionsobject + The SELinux context to be applied to the container. +If unspecified, the container runtime will allocate a random SELinux context for each +container. May also be set in PodSecurityContext. If set in both SecurityContext and +PodSecurityContext, the value specified in SecurityContext takes precedence. +Note that this field cannot be set when spec.os.name is windows.
+ 		false
seccompProfileobject + The seccomp options to use by this container. If seccomp options are +provided at both the pod & container level, the container options +override the pod options. +Note that this field cannot be set when spec.os.name is windows.
+ 		false
windowsOptionsobject + The Windows specific settings applied to all containers. +If unspecified, the options from the PodSecurityContext will be used. +If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. +Note that this field cannot be set when spec.os.name is linux.
+ 		false
+ + +### DcgmExporter.spec.securityContext.capabilities +[↩ Parent](#dcgmexporterspecsecuritycontext) + + + +The capabilities to add/drop when running containers. +Defaults to the default set of capabilities granted by the container runtime. +Note that this field cannot be set when spec.os.name is windows. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
add[]string + Added capabilities
+ 		false
drop[]string + Removed capabilities
+ 		false
+ + +### DcgmExporter.spec.securityContext.seLinuxOptions +[↩ Parent](#dcgmexporterspecsecuritycontext) + + + +The SELinux context to be applied to the container. +If unspecified, the container runtime will allocate a random SELinux context for each +container. May also be set in PodSecurityContext. If set in both SecurityContext and +PodSecurityContext, the value specified in SecurityContext takes precedence. +Note that this field cannot be set when spec.os.name is windows. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
levelstring + Level is SELinux level label that applies to the container.
+ 		false
rolestring + Role is a SELinux role label that applies to the container.
+ 		false
typestring + Type is a SELinux type label that applies to the container.
+ 		false
userstring + User is a SELinux user label that applies to the container.
+ 		false
+ + +### DcgmExporter.spec.securityContext.seccompProfile +[↩ Parent](#dcgmexporterspecsecuritycontext) + + + +The seccomp options to use by this container. If seccomp options are +provided at both the pod & container level, the container options +override the pod options. +Note that this field cannot be set when spec.os.name is windows. + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
typestring + type indicates which kind of seccomp profile will be applied. +Valid options are: + + +Localhost - a profile defined in a file on the node should be used. +RuntimeDefault - the container runtime default profile should be used. +Unconfined - no profile should be applied.
+ 		true
localhostProfilestring + localhostProfile indicates a profile defined in a file on the node should be used. +The profile must be preconfigured on the node to work. +Must be a descending path, relative to the kubelet's configured seccomp profile location. +Must be set if type is "Localhost". Must NOT be set for any other type.
+ 		false
+ + +### DcgmExporter.spec.securityContext.windowsOptions +[↩ Parent](#dcgmexporterspecsecuritycontext) + + + +The Windows specific settings applied to all containers. +If unspecified, the options from the PodSecurityContext will be used. +If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. +Note that this field cannot be set when spec.os.name is linux. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescriptionRequired
gmsaCredentialSpecstring + GMSACredentialSpec is where the GMSA admission webhook +(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the +GMSA credential spec named by the GMSACredentialSpecName field.
+ 		false
gmsaCredentialSpecNamestring + GMSACredentialSpecName is the name of the GMSA credential spec to use.
+ 		false
hostProcessboolean + HostProcess determines if a container should be run as a 'Host Process' container. +All of a Pod's containers must have the same effective HostProcess value +(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). +In addition, if HostProcess is true then HostNetwork must also be set to true.
+ 		false
runAsUserNamestring + The UserName in Windows to run the entrypoint of the container process. +Defaults to the user specified in image metadata if unspecified. +May also be set in PodSecurityContext. If set in both SecurityContext and +PodSecurityContext, the value specified in SecurityContext takes precedence.
+ 		false
+ + ### DcgmExporter.spec.tolerations[index] [↩ Parent](#dcgmexporterspec) diff --git a/internal/manifests/dcgmexporter/container.go b/internal/manifests/dcgmexporter/container.go index fb5d8e082..cb5961ab4 100644 --- a/internal/manifests/dcgmexporter/container.go +++ b/internal/manifests/dcgmexporter/container.go @@ -75,12 +75,13 @@ func Container(cfg config.Config, logger logr.Logger, exporter v1alpha1.DcgmExpo }) return corev1.Container{ - Name: ComponentDcgmExporter, - Image: image, - Args: args, - Resources: exporter.Spec.Resources, - Env: envVars, - Ports: ports, - VolumeMounts: volumeMounts, + Name: ComponentDcgmExporter, + Image: image, + Args: args, + Resources: exporter.Spec.Resources, + Env: envVars, + Ports: ports, + VolumeMounts: volumeMounts, + SecurityContext: exporter.Spec.SecurityContext, } }